Skip to content

DS0012 Script

A file or stream containing a list of commands, allowing them to be launched in sequence312

Item Value
ID DS0012
Platforms Windows
Collection Layers Host
Version 1.1
Created 20 October 2021
Last Modified 07 December 2022

Data Components

Script Execution

The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)

Domain ID Name
enterprise T1560 Archive Collected Data
enterprise T1560.002 Archive via Library
enterprise T1560.003 Archive via Custom Method
enterprise T1119 Automated Collection
ics T0802 Automated Collection
enterprise T1020 Automated Exfiltration
enterprise T1651 Cloud Administration Command
enterprise T1059 Command and Scripting Interpreter
enterprise T1059.001 PowerShell
enterprise T1059.005 Visual Basic
enterprise T1059.007 JavaScript
enterprise T1005 Data from Local System
ics T0893 Data from Local System
enterprise T1140 Deobfuscate/Decode Files or Information
enterprise T1482 Domain Trust Discovery
enterprise T1615 Group Policy Discovery
enterprise T1564 Hide Artifacts
enterprise T1564.003 Hidden Window
enterprise T1564.007 VBA Stomping
enterprise T1562 Impair Defenses
enterprise T1562.002 Disable Windows Event Logging
enterprise T1056 Input Capture
enterprise T1056.002 GUI Input Capture
enterprise T1559 Inter-Process Communication
enterprise T1559.001 Component Object Model
enterprise T1559.002 Dynamic Data Exchange
enterprise T1556 Modify Authentication Process
enterprise T1556.005 Reversible Encryption
ics T0840 Network Connection Enumeration
enterprise T1027 Obfuscated Files or Information
enterprise T1027.010 Command Obfuscation
enterprise T1620 Reflective Code Loading
ics T0853 Scripting
enterprise T1016 System Network Configuration Discovery
enterprise T1216 System Script Proxy Execution
enterprise T1216.001 PubPrn

References

  1. Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021. 

  2. Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021. 

  3. Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021. 

  4. Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023. 

  5. Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping — Advanced Maldoc Techniques. Retrieved September 17, 2020. 

  6. Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020. 

  7. decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020. 

  8. MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021. 

  9. The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021. 

  10. Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019. 

  11. Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.